authorAndy Scherzinger <info@andy-scherzinger.de>2024-07-22 10:10:42 +0200
committerGitHub <noreply@github.com>2024-07-22 10:10:42 +0200
commitc2a571e435bebb08a4b6429eea343c350d3ccaf6 (patch)
tree9c1c4912147beb66b13d442e57cd8614451fa44e /lib/public
parent800dffec31b76a1c6b371d57d41ea9f5085a4a6e (diff)
parentf1d97a318818860d3fff9fccffbab5a1faba752b (diff)
Merge pull request #46473 from nextcloud/feat/restrict_admin_to_ips
feat(security): restrict admin actions to IP ranges
Diffstat (limited to 'lib/public')
-rw-r--r--lib/public/Security/Ip/IAddress.php35
-rw-r--r--lib/public/Security/Ip/IFactory.php30
-rw-r--r--lib/public/Security/Ip/IRange.php37
-rw-r--r--lib/public/Security/Ip/IRemoteAddress.php22
4 files changed, 124 insertions, 0 deletions
diff --git a/lib/public/Security/Ip/IAddress.php b/lib/public/Security/Ip/IAddress.php
new file mode 100644
index 00000000000..242418962fc
--- /dev/null
+++ b/lib/public/Security/Ip/IAddress.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Ip;
+
+/**
+ * @since 30.0.0
+ */
+interface IAddress {
+ /**
+ * Check if a given IP address is valid
+ *
+ * @since 30.0.0
+ */
+ public static function isValid(string $ip): bool;
+
+ /**
+ * Check if current address is contained by given ranges
+ *
+ * @since 30.0.0
+ */
+ public function matches(IRange... $ranges): bool;
+
+ /**
+ * Normalized IP address
+ *
+ * @since 30.0.0
+ */
+ public function __toString(): string;
+}
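Review bot: The docblock on `matches(IRange... $ranges)` does not say what the call returns when no ranges are passed, and for an allow-list check that case decides whether an empty configuration fails open or closed. It also leaves open whether an IPv4-mapped IPv6 address (`::ffff:192.0.2.1`, a constructed example) is matched against IPv4 ranges after the normalization that `__toString()` mentions; the same question applies to `IRange::contains()` in IRange.php. I would add a sentence to the `matches()` docblock along the lines of `Returns false when called without ranges; an IPv4-mapped IPv6 address is compared as IPv4`, adjusted to what the implementation actually does, which is not visible in this diff.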
diff --git a/lib/public/Security/Ip/IFactory.php b/lib/public/Security/Ip/IFactory.php
new file mode 100644
index 00000000000..3b88aa8c756
--- /dev/null
+++ b/lib/public/Security/Ip/IFactory.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Ip;
+
+/**
+ * @since 30.0.0
+ */
+interface IFactory {
+ /**
+ * Creates a range from string
+ *
+ * @since 30.0.0
+ * @throws \InvalidArgumentException on invalid range
+ */
+ public function rangeFromString(string $range): IRange;
+
+ /**
+ * Creates a address from string
+ *
+ * @since 30.0.0
+ * @throws \InvalidArgumentException on invalid IP
+ */
+ public function addressFromString(string $ip): IAddress;
+}
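Review bot: Neither docblock states which notations are accepted: `rangeFromString()` does not say whether it takes CIDR only or also a bare address, and `addressFromString()` does not say whether a zone identifier or brackets around an IPv6 literal are rejected. These strings will typically come from administrator configuration, so the contract should be explicit enough for callers to know when to expect `\InvalidArgumentException`. A line such as `@param string $range Range in CIDR notation, e.g. 192.0.2.0/24 or 2001:db8::/32` would do, if that matches the implementation. Minor wording: `Creates a address from string` should read `Creates an address from string`.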
diff --git a/lib/public/Security/Ip/IRange.php b/lib/public/Security/Ip/IRange.php
new file mode 100644
index 00000000000..70e1815c75e
--- /dev/null
+++ b/lib/public/Security/Ip/IRange.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Ip;
+
+/**
+ * IP Range (IPv4 or IPv6)
+ *
+ * @since 30.0.0
+ */
+interface IRange {
+ /**
+ * Check if a given range is valid
+ *
+ * @since 30.0.0
+ */
+ public static function isValid(string $range): bool;
+
+ /**
+ * Check if an address is in the current range
+ *
+ * @since 30.0.0
+ */
+ public function contains(IAddress $address): bool;
+
+ /**
+ * Normalized IP range
+ *
+ * @since 30.0.0
+ */
+ public function __toString(): string;
+}
diff --git a/lib/public/Security/Ip/IRemoteAddress.php b/lib/public/Security/Ip/IRemoteAddress.php
new file mode 100644
index 00000000000..19a1dab9734
--- /dev/null
+++ b/lib/public/Security/Ip/IRemoteAddress.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Ip;
+
+/**
+ * IP address of the connected client
+ *
+ * @since 30.0.0
+ */
+interface IRemoteAddress {
+ /**
+ * Check if the current remote address is allowed to perform admin actions
+ * @since 30.0.0
+ */
+ public function allowsAdminActions(): bool;
+}
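Review bot: The docblock on `allowsAdminActions()` leaves the security-relevant contract unstated: which address counts as the remote address when the instance sits behind a reverse proxy, and what the method returns when no admin ranges are configured or when the remote address is missing or unparseable (for example in a CLI or background-job context). Callers gating admin operations need to know whether those cases fail open or closed, and the implementation is outside this diff, so that cannot be checked from here. I would extend the docblock with two or three sentences covering these cases, e.g. `Returns true when no admin ranges are configured` and `Returns false when the remote address cannot be determined`, corrected to the actual behaviour. The comment is also missing the blank ` *` line before `@since` that the other three interfaces use.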